Skip to content

Instantly share code, notes, and snippets.

@joepie91
Last active October 6, 2024 08:38
Show Gist options
  • Save joepie91/5a9909939e6ce7d09e29 to your computer and use it in GitHub Desktop.
Save joepie91/5a9909939e6ce7d09e29 to your computer and use it in GitHub Desktop.
Don't use VPN services.

Don't use VPN services.

No, seriously, don't. You're probably reading this because you've asked what VPN service to use, and this is the answer.

Note: The content in this post does not apply to using VPN for their intended purpose; that is, as a virtual private (internal) network. It only applies to using it as a glorified proxy, which is what every third-party "VPN provider" does.

  • A Russian translation of this article can be found here, contributed by Timur Demin.
  • A Turkish translation can be found here, contributed by agyild.
  • There's also this article about VPN services, which is honestly better written (and has more cat pictures!) than my article.

Why not?

Because a VPN in this sense is just a glorified proxy. The VPN provider can see all your traffic, and do with it what they want - including logging.

But my provider doesn't log!

There is no way for you to verify that, and of course this is what a malicious VPN provider would claim as well. In short: the only safe assumption is that every VPN provider logs.

And remember that it is in a VPN provider's best interest to log their users - it lets them deflect blame to the customer, if they ever were to get into legal trouble. The $10/month that you're paying for your VPN service doesn't even pay for the lawyer's coffee, so expect them to hand you over.

But a provider would lose business if they did that!

I'll believe that when HideMyAss goes out of business. They gave up their users years ago, and this was widely publicized. The reality is that most of their customers will either not care or not even be aware of it.

But I pay anonymously, using Bitcoin/PaysafeCard/Cash/drugs!

Doesn't matter. You're still connecting to their service from your own IP, and they can log that.

But I want more security!

VPNs don't provide security. They are just a glorified proxy.

But I want more privacy!

VPNs don't provide privacy, with a few exceptions (detailed below). They are just a proxy. If somebody wants to tap your connection, they can still do so - they just have to do so at a different point (ie. when your traffic leaves the VPN server).

But I want more encryption!

Use SSL/TLS and HTTPS (for centralized services), or end-to-end encryption (for social or P2P applications). VPNs can't magically encrypt your traffic - it's simply not technically possible. If the endpoint expects plaintext, there is nothing you can do about that.

When using a VPN, the only encrypted part of the connection is from you to the VPN provider. From the VPN provider onwards, it is the same as it would have been without a VPN. And remember, the VPN provider can see and mess with all your traffic.

But I want to confuse trackers by sharing an IP address!

Your IP address is a largely irrelevant metric in modern tracking systems. Marketers have gotten wise to these kind of tactics, and combined with increased adoption of CGNAT and an ever-increasing amount of devices per household, it just isn't a reliable data point anymore.

Marketers will almost always use some kind of other metric to identify and distinguish you. That can be anything from a useragent to a fingerprinting profile. A VPN cannot prevent this.

So when should I use a VPN?

There are roughly two usecases where you might want to use a VPN:

  1. You are on a known-hostile network (eg. a public airport WiFi access point, or an ISP that is known to use MITM), and you want to work around that.
  2. You want to hide your IP from a very specific set of non-government-sanctioned adversaries - for example, circumventing a ban in a chatroom or preventing anti-piracy scareletters.

In the second case, you'd probably just want a regular proxy specifically for that traffic - sending all of your traffic over a VPN provider (like is the default with almost every VPN client) will still result in the provider being able to snoop on and mess with your traffic.

However, in practice, just don't use a VPN provider at all, even for these cases.

So, then... what?

If you absolutely need a VPN, and you understand what its limitations are, purchase a VPS and set up your own (either using something like Streisand or manually - I recommend using Wireguard). I will not recommend any specific providers (diversity is good!), but there are plenty of cheap ones to be found on LowEndTalk.

But how is that any better than a VPN service?

A VPN provider specifically seeks out those who are looking for privacy, and who may thus have interesting traffic. Statistically speaking, it is more likely that a VPN provider will be malicious or a honeypot, than that an arbitrary generic VPS provider will be.

So why do VPN services exist? Surely they must serve some purpose?

Because it's easy money. You just set up OpenVPN on a few servers, and essentially start reselling bandwidth with a markup. You can make every promise in the world, because nobody can verify them. You don't even have to know what you're doing, because again, nobody can verify what you say. It is 100% snake-oil.

So yes, VPN services do serve a purpose - it's just one that benefits the provider, not you.


This post is licensed under the WTFPL or CC0, at your choice. You may distribute, use, modify, translate, and license it in any way.


Before you comment: Be aware that any non-constructive comments will be removed. This includes advertising for VPN providers (yes, even when you phrase the marketing claims like a question), trolling, harassment, insults towards other people, claims that have already been addressed in the article, and so on.

If your comment isn't a genuine question or a concrete counterargument supported by evidence, it probably doesn't belong here.

@RivenSkaye
Copy link

VPNs are very much useful for "when should I" argument 2.
My ISP would frequently squeeze traffic to known public trackers, which hasn't been an issue ever since I started using glorified proxies. And it also helps circumvent blocks on certain sites, which is precisely what I need it for.

As such, a third point to note is "when you need access to services or resources that you can't reach through your current network or ISP."

@dxgldotorg
Copy link

Sunshine, you fail to understand the difference between using VPN in general and using VPN SERVICE. I highlighted the important word for you, but there is not much hope it'll make any difference.

I use both VPN and proxy all the time, but I set it up myself on a small VPS.

For me, my VPN lives inside my router and gives me remote access to my connected devices.

@LokiFawkes
Copy link

For me, my VPN lives inside my router and gives me remote access to my connected devices.

And this is what I like to call, an actual VPN.

@M-u-m-p-i-t-z
Copy link

M-u-m-p-i-t-z commented Jul 31, 2023

Some questions:

But I want to confuse trackers by sharing an IP address!

Your IP address is a largely irrelevant metric in modern tracking systems. Marketers have gotten wise to these kind of tactics, and combined with increased adoption of [CGNAT](https://en.wikipedia.org/wiki/Carrier-grade_NAT) and an ever-increasing amount of devices per household, it just isn't a reliable data point anymore.

Marketers will almost always use some kind of other metric to identify and distinguish you. That can be anything from a useragent to a [fingerprinting profile](https://panopticlick.eff.org/). A VPN cannot prevent this.

Just suppose my ISP doesn't use CGNAT but I keep my IP for weeks, and my browser doesn't allow fingerprinting because only fake data is sent. If I visit different websites without VPN, the fingerprint is always different but I have the same IP, what sense does that make, you can not track easier?
If I use a VPN and / or proxies, I get a different IP every day that I share with thousands of other people and always have a different fingerprint. What should not work in this practice?

When using a VPN, the only encrypted part of the connection is from you to the VPN provider. From the VPN provider onwards, it is the same as it would have been without a VPN. And remember, the VPN provider can see and mess with all your traffic.

Yes, but how can an outsider see which of the thousands of users is accessing which websites? The data streams that go in cannot be assigned to the decrypted streams that go out. Thus, you have 1000 defendants when someone fucks up.
Before the question is answered again with "But the VPN provider knows everything", please read my last question.
The VPN provider can know everything, but does not have to.

Because a VPN in this sense is just a glorified proxy. The VPN provider can see all your traffic, and do with it what they want - including logging.

The ISP does that too and sells the data and you can't always choose the ISP. A VPN provider that shares data with its customers without obtaining their consent is acting illegally and committing a crime itself. The ISP writes it in its terms of service.

And remember that it is in a VPN provider's best interest to log their users - it lets them deflect blame to the customer, if they ever were to get into legal trouble. The $10/month that you're paying for your VPN service doesn't even pay for the lawyer's coffee, so expect them to hand you over.

Wouldn't it be much easier to tell the authorities "Sorry I can't identify my users because I have no logs! I can only provide all users as a list"? It would never come to a criminal complaint, how do you want to prove a specific person did a crime? For what reason should the VPN provider here can be legally prosecuted, as long as no law requires that I do not log my users, which in turn must then be written in the terms of service?

@LokiFawkes
Copy link

@M-um-p-i-t-z Exactly as stated: The IP address is a useless metric these days.

Firstly, good luck actually setting up a browser that flies under the radar like that. If you sign in anywhere, your browser will be tracked, your new fingerprint will be tracked as long as you stay signed in or sign in again.

Marketers employ many different methods of tracking. From the classic cross-site tracking cookie, to the modern fingerprinting methods we know today. You basically aren't safe from this unless you're using Tor Browser (with or without actually using the Tor network) and not signing in anywhere.

As long as you're signed in, or allowing cookies, or allowing javascript, or it's able to get actual canvas sizes, etc from your browser, no proxy in the world can protect you.

The VPN provider that shares data of its customers without obtaining their consent is actually protected by silver tongued legalese in the terms of service and gag orders in the law.

It is in fact not easier to tell the authorities, "Sorry I can't identify my users because I have no logs!". That's a good way to get in trouble with 14 Eyes surveillance laws. And no, those surveillance laws are not limited to the 14 core nations of the Eyes. Most nations of the world are in on it without increasing the number of "eyes" in the name, and even if your company is from another country, if you have servers in an Eyes country, you're subject to their laws.

If they can't directly command you by law to conduct mass surveillance, they can hold you accountable for "letting" your users commit what these countries consider to be crimes. Such as journalism, protests, or god forbid being Fr*nch.

@Naleksuh
Copy link

Naleksuh commented Aug 3, 2023

I think the IP part is confusing people because first the post says "You're still connecting to their service from your own IP, and they can log that." then later it says "Your IP address is a largely irrelevant metric in modern tracking systems. ". I think the confusion is because joepie91 is talking about tracking by the government in the first one, and tracking by advertisers in the second one. It might be a good idea to clarify that.

@LokiFawkes It depends on the fingerprinting software. Some include your IP address, other people don't. Either way, there is more to fingerprinting than your IP address. Here's a test site many people use: https://coveryourtracks.eff.org/

Edit: Actually the original gist already links to this site

@LokiFawkes
Copy link

@Naleksuh Yeah, it seems a lot of people are confused by the concept of attacking the same assertion from multiple angles.

@M-u-m-p-i-t-z
Copy link

Firstly, good luck actually setting up a browser that flies under the radar like that. If you sign in anywhere, your browser will be tracked, your new fingerprint will be tracked as long as you stay signed in or sign in again. Marketers employ many different methods of tracking. From the classic cross-site tracking cookie, to the modern fingerprinting methods we know today. You basically aren't safe from this unless you're using Tor Browser (with or without actually using the Tor network) and not signing in anywhere.
Since some time Firefox prevents exactly these practices with its tracking protection, each domain has its own memory here where no other domain can access and if you use containers in addition, even the domain gets a different memory in each container.
As long as you're signed in, or allowing cookies, or allowing javascript, or it's able to get actual canvas sizes, etc from your browser, no proxy in the world can protect you.
With each domain the browser fingerprint changes and remains valid for this domain until the browser is closed but each container has different fingerprints for the same domains and another IP.
The VPN provider that shares data of its customers without obtaining their consent is actually protected by silver tongued legalese in the terms of service and gag orders in the law.
My government's laws prohibit the unstoppable storage of connection data. There must be a reasonable suspicion of a serious crime and there must be a suspect, not just thousands of VPN users because someone might have done something wrong.

It is in fact not easier to tell the authorities, "Sorry I can't identify my users because I have no logs!". That's a good way to get in trouble with 14 Eyes surveillance laws. And no, those surveillance laws are not limited to the 14 core nations of the Eyes. Most nations of the world are in on it without increasing the number of "eyes" in the name, and even if your company is from another country, if you have servers in an Eyes country, you're subject to their laws.
Why should a company get into trouble with the secret service if it complies with the laws in force in its country, where no one has to store any data. And if it would be so easy to get companies to record, why does even the NSA have its own department that deals with cracking VPN connections?
Be honest, if the secret service is looking for you, it will find you, no question, but who is wanted by the secret service?
The only danger you are exposed to when using VPN or even Tor is that you are swimming in a pot together with a few criminals, the price is not too high for me to protect my privacy.

@nukeop
Copy link

nukeop commented Aug 4, 2023

What's the point of fingerprinting if my fingerprint changes every 30s? And what's the point of tracking if I block tracking scripts and ads?

@LokiFawkes
Copy link

@M-um-p-i-t-z I can answer your entire response by answering your last sentence. You're not protecting your privacy. This is called the action bias.

But sure, if you think Firefox is protecting you by changing your fingerprint, go ahead and double check with the EFF.
No, it's not.

You have to set everything manually, make your canvas generic (thereby also limiting the screenspace in your browser or glitching certain graphics), and put every tab in a container. And even then, it's still not enough.

I'm a firefox user, with container tabs, strict privacy settings to the point that about:config is unrecognizable from the original, whole nine yards. And yet sites still find ways to worm cross site cookies across the containers. It's a neverending arms race, and the one thing they're not concerned with, is the IP address.

@LokiFawkes
Copy link

@nukeop Let's pretend you aren't the butt of the joke in this entire thread. Just for a second.
To what are you referring?

@LokiFawkes
Copy link

LokiFawkes commented Aug 6, 2023

@nukeop
You did not answer. To what are you referring?
Have you forgotten that it is you who knows less than nothing on the topic as you have proven multiple times in this thread?

Also, github gists is a discussion platform.

@vanderplancke
Copy link

@nukeop You did not answer. To what are you referring? Have you forgotten that it is you who knows less than nothing on the topic as you have proven multiple times in this thread?

Also, github gists is a discussion platform.

You know nukeop is a vpn shill right. Likes to attack anyone calling it out on it's grift. Ignore it and it will go away.

Copy link

ghost commented Aug 10, 2023

I agree. though I use one, because i trust it more, travel and torrenting

@M-u-m-p-i-t-z
Copy link

@LokiFawkes

@M-um-p-i-t-z I can answer your entire response by answering your last sentence. You're not protecting your privacy. This is called the action bias.

But sure, if you think Firefox is protecting you by changing your fingerprint, go ahead and double check with the EFF. No, it's not.

What is this supposed to prove? But I did it for you with the result that I double check on two days with 3 containers with different IPs from VPNs and I get 3 Yes in every single tab on both days. Tor Browser also. Seems like u have a mass of changes in about:config, that you look unique to the side. I am not. And your IP can be tracked, so they do so. Whether this is relevant or whether you do not want to believe it is irrelevant. So stop spreading such generalizations, they are not true.
Screenshot

@clippycoder
Copy link

clippycoder commented Aug 15, 2023

A few comments:

  • I think you are being to harsh on VPN services here. I understand that we cannot know for sure if a specific VPN provider is not logging you, but I wouldn't go so far as to say that none like that exist. It's a bit of a gamble, maybe, but sometimes that's better than nothing.
  • Additionally, I use a free VPN service to access geo-blocked content and to bypass network restrictions. I don't really trust it's privacy value, given that it's free, but for my purposes I'm content with that. And also, being a free tier of an otherwise paid service, it has an nice-looking and intuitive UI, much more than can be said for many open source projects.

Overall, given that VPNs provide benefits outside of privacy, and that privacy may very well be also provided, I think VPNs, even paid ones, have their place. But I don't think that this should detract from your argument that with no verifiability, VPN privacy may often be false advertising.

@douma
Copy link

douma commented Aug 31, 2023

I use VPN (OpenVPN with Pihole), with a private/ dedicated ip address, on a private VPS server, only to hide my traffic from my ISP (ISP's have the biggest share in selling data), to hide my true location for the websites I visit, to block ads and to block sites like facebook, google from tracking me... and to log my own network activities. In this way I have found a virus on my computer sending packages of information every hour to a certain host. Legally they could find out what websites I visit, but a VPN adds another threshold for them to find out. Don´t give them (legal agencies) any reason to track you down. Doing something illegal on the internet is extremely stupid, even with a VPN.

@eos1973
Copy link

eos1973 commented Sep 14, 2023

quite a lot of comments and discussions, apparently there is no complete solution.
Except acquiring a service from some server in a corner of Eastern Europe. XD

@nukeop
Copy link

nukeop commented Sep 14, 2023

Mullvad VPN is easily the best

Copy link

ghost commented Sep 14, 2023

Hello everyone.

These same questions that can be asked here about the cloud's open source. It is contradictory that open software works in cloud like sass (software as a service) or baas (backend as a service) etc. Because, in theory, we do not have access to any source code and the control of this server.

Some people have created the software license as AGPL for this. Although the company distributes the software to AGPL, you can never check which function is being performed. First, because we have a feeling of arrest, because you don't have the money to execute the software with your own infrastructure (hosting, physical server). And second, because we have the feeling of not knowing the future direction of the cloud product or service.

Just as we cannot trust VPNs, I don't think we should trust cloud services that uses open license as AGPL, MIT, GPLv2, GPLv3 etc. Does these concerns of mine make sense?

@panzer-arc
Copy link

This approach is parroted in various MSM articles but doesn't address all the potential concerns. I trust VPN providers more than my ISP. I see no evidence that I should trust my ISP by default even if they don't MITM me. They would know every single domain I connect to on all of my devices if I didn't tunnel my traffic. Why can't I find an explanation of how my data is used/stored on their site?
https://www.privacyguides.org/en/basics/vpn-overview/#should-i-use-a-vpn

@nukeop
Copy link

nukeop commented Sep 30, 2023

Yeah, it's a list of defeatist, often false or easily refuted bullet points written in a style of total confidence, which to some impressionable people may look like competence. Some of the bullet points are actually strawmen that nobody who uses VPNs would argue.

@Finoderi
Copy link

Finoderi commented Oct 2, 2023

Why can't I find an explanation of how my data is used/stored on their site?

Can you find something like that on the site of you favourite VPN service?
Have you actually read articles that short summary on privacyguides.org is referring to?

@rfc-2549
Copy link

rfc-2549 commented Oct 2, 2023

Mullvad is the only good VPN services
Either that or tor

@humanlyhuman
Copy link

humanlyhuman commented Oct 4, 2023

Mullvad is the only good VPN services Either that or tor

ivpn is pretty good too
check out https://www.ivpn.net/blog/why-you-dont-need-a-vpn

@sjorspa
Copy link

sjorspa commented Oct 13, 2023

A valid reason for VPN is by NOT want to hide your VPN but make sure you connect with a trusted one, IE if you have a dynamic IP and need to go to a firewalled site, this might be a very valid point. Another valid point can be Geolocation barriers, IE many content providers block based on your countries IP. The other points are pretty valid by the way. For real privacy use Tor and make sure that you don't login with accounts that you also use on your normal connection.

@sneer69
Copy link

sneer69 commented Oct 27, 2023

"A VPN provider specifically seeks out those who are looking for privacy, and who may thus have interesting traffic. Statistically speaking, it is more likely that a VPN provider will be malicious or a honeypot, than that an arbitrary generic VPS provider will be."

Can I see that statistic and your dataset?

@papahuge
Copy link

papahuge commented Nov 3, 2023

image
^
I'm pretty sure this is why most people need a glorified proxy service.

@5aturnius
Copy link

image ^ I'm pretty sure this is why most people need a glorified proxy service.

Precisely. I cannot believe the idiocy of morons on the internet with the idea that there is some way to outsmart intelligence agencies with the smartest people on the planet working together stacked against them. That there are thus conversely certain activities that "expose" one to said agencies. We need legislation to fight this battle on the same scale that this violation of user privacy operates on.

@nukeop
Copy link

nukeop commented Nov 29, 2023

Leaked NSA documents prove that they are powerless against TOR and have been since its inception.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment